The DDoS attack against Dyn on Oct. 21 may not have been anything new or sophisticated to those steeped in cybersecurity, but it should serve as a significant wake-up call to retailers this holiday season and beyond, say experts. The hack — which led to vast consumer trouble loading major websites such as Etsy, AirBnB, Netflix and Twitter — was particularly notable because it appears to have relied on infecting internet of things (IoT) devices such as cameras, monitors and routers with software meant to flood targets with overwhelming traffic.
[ Related: DDoS attack shows dangers of IoT ‘running rampant’ ]
This should concern retailers that are investing heavily in IoT technology in order to gain operational efficiencies and enhance customer loyalty — everything from in-store personalization through beacons and other mobile technologies to remote inventory of consumer’s items, says Mandeep Khera, CMO of Arxan.
Most of these IoT devices, including edge devices, cameras, gateways and mobile applications, are easy pickings for the hackers, he says. “As they roll out these sensors and adaptors to connect to consumer appliances, linking it to grocery carts, and eventually even to cars, all of these are connected at the gateway level,” he says. “Hackers can get into the gateway to the back-end server where data is transmitted.”
This leads to a serious conundrum: On the one hand, retailers are using IoT devices to provide more contextually relevant engagement and meaningful experiences for their customers in order to build loyalty and compete with online behemoths such as Amazon. On the other hand, if IoT devices cause vulnerabilities that deny access to a retailer’s ecommerce sites or mobile apps, it could be devastating, says Capgemini’s Bill Lewis: “For a retailer, the online channel is how they drive revenue, growth, customer engagement, stay competitive, and drive their business,” he says. “Having the ability to keep this channel available is as important if not more important than having loss prevention in the brick and mortar stores.”
IoT vulnerabilities speak to larger security issues
DDoS attacks are part of a “broader issue about the way in which organizations set themselves up to utilize the internet,” says Sean Curran, director of security and infrastructure for business consulting firm West Monroe Partners, who points out that vendors and retailers are not necessarily thinking about security first. “There is the widespread use of a single service provider for internet services, for example, and companies developing both hardware devices and software products are thinking less about security and more about getting into market first.”
The problem with IoT devices, he adds, is that it’s not that easy to “bolt on” security after the device is already developed and connected. “It’s been proven time and time again that as these devices become more and more connected, they are being exposed to attacks in the business that these devices have never been secured against,” he explains. “Everything is done at a software level — the IoT hardware is not hardwired to do a function. This allows changes on the fly, but the problem then becomes based in vulnerable software.”
Security was almost an afterthought for retailers, adds Khera, because everyone has focused on building and implementing IoT-enabled apps as quickly as possible. “Security has been ignored because the IoT devices themselves don’t cause much of an impact if stolen, but the devices themselves are far from the only issue,” he explains. “What retailers need to do is look at entire infrastructure from endpoint to gateway, to the point of communication and the back-end server where data is transmitted, and come up really with an overall infrastructure policy on IoT.”
According to Khera, while IoT technology remains exciting and is creating tremendous opportunity for retailers looking for ways to fight Amazon, there are simply a lot of unknowns that have yet to be addressed. “What retailers need to do is look at entire infrastructure from endpoint to gateway, to the point of communication and the back-end server where data is transmitted, and come up really with an overall infrastructure policy on IoT,” he says.
The future of IoT security
Gartner Research predicts that by 2020 there will be 25 billion connected devices worldwide — and these IoT devices are less protected than traditional computer platforms, says Capgemini’s Oz Deally, who emphasizes that IoT involves “computers that can execute code and be enlisted in the bot army.” Retailers need to make security the highest priority, as hackers are already staking out their attacks with these vulnerabilities, he explains. “A typical IoT framework, at a very high level, consists of edge devices like sensors, adapters and beacons; a gateway to communicate with these devices; and a back-end server in the cloud or on-premise,” he says. “Retailers need to take each section separately and start addressing security issues for each, before it’s too late.”
[ Related: Let’s get serious about IoT security ]
Before purchasing IoT devices and technologies, the CIO or CISO should also be assured that the manufacturer is taking responsibility to secure them as much as possible, from installation and service management until retirement, says Deally.
For the retail CIO and CISO, there are budget issues at play that can keep IoT security on the back burner, cautions Khera. “Management will say, ‘You’re crazy, I can’t give you all of this money,” he says. “That’s part of the problem — I recently was part of a roundtable with CISO’s who said they had not moved on securing IoT and mobile apps, even though they know attacks are coming, because a lack of a visible attack and a lack of regulation doesn’t exist to help them get budgets approved.” That will likely change due to the highly-publicized Oct. 21 attack, he says.
[ Related: IoT security suffers from a lack of awareness ]
However, there is still a long way to go in terms of retail IoT security, he adds. By the end of next year, retail organizations may not yet be much farther along than where they are today in terms of building the cybersecurity defenses required to handle the needs of IoT. “The security controls are complex and costly, and the economic model has to shift to where cybersecurity is viewed as one of the mitigating measures to substantial risk to the retail company in terms of their their digital future.”